Training...Asset or Risk?

As security professionals, we are accustomed to identifying assets and protecting them. We are also familiar with the process by which this is accomplished: identify our assets, identify the threats to those assets, assess our vulnerability to those threats, and - finally - manage the risk by decreasing the threat or vulnerability.

Most of us are also accustomed to assuming that our own professional training, and the training of our team members, is a key tool in the ongoing process of reducing the risks faced by our organization. This is certainly the case, but it is equally important to recognize the ways in which the converse can be true. Inadequate training is, in and of itself, an additional risk factor, and - as with more traditional threats - we need reliable means of assessing the risks posed by inadequate training.

This is particularly true considering the significant developments that have taken place over the last few decades in the various areas which comprise security management. In every area, from IT to patrol, the expectations for security professionals have changed dramatically. If your training methods and protocols have not kept pace, and if you have not updated your means of evaluating those procedures, then your training program could prove more of a liability than an asset. All security organizations can benefit from a structured, formal approach to assessing the effectiveness of the training within their workforce.

Although the methods and mechanics of that assessment must adapt to changing environments, the basic principles are well established. Thirty years ago, Dr. Norman Bottom published an innovative systems approach to security management, in which he identified "Training" as one of the tripartite fundamentals of loss control, and along with that observation he introduced the acronym WAECUP:

Waste

Accident

Error

Crime

Unethical Practices [1]

The WAECUP model asserts that these variables, and their inter-relationships, are at the heart of what security professionals must protect against. A loss due to any one of the above variables has the potential of escalating into additional losses, not the least of which may be those associated with subsequent civil litigation. One means of assessing the efficacy of a training program, therefore, is identifying whether or not it is sufficiently comprehensive to address potential threats and vulnerabilities associated with all of the identified categories.

In addition to this general framework, it is important to assess training in terms of measurable standards. When I conduct an assessment of an organization's training, I typically ask three initial questions to determine whether or not their personnel are properly trained. I'm sure it is not always the case, but it has been my experience that the organization's approach to training is likely to be risk-laden if the answer to any of the following questions is "no."

Is requisite training based upon currently published guidelines and standards?

Is there evidence validating that members of the organization possess the knowledge, skills and abilities expected or required of them?

Are the training programs reviewed and updated by qualified experts?

Complying with Guidelines and Standards

It is beyond the scope of this article to enumerate the vast number of valid sources for guidelines and standards. They range from state laws to professional accrediting bodies, and they include published research regarding "best practices" and industry norms. It is nevertheless incumbent on every security professional to seek out those sources and translate them into clear, documentable, assessable guidelines for organizational training. Put simply, if a recommended guideline exists and is relevant to our operation, failure to apply that recommendation makes us vulnerable to WAECUP and/or civil litigation.

The first place to start is government guidelines. Many training programs, even in national organizations, are still relying on the conclusions of the earliest studies on security procedures: the Rand Study (1971) [2] and the National Advisory Commission Report (1974) [3]. Although these studies were groundbreaking for their time, over the past forty years many state and federal agencies have moved far beyond the foundation laid by this early research. It is incumbent on all security professionals to continually research the constantly evolving federal and state guidelines relevant to their organization, and then to assess their training accordingly. At a minimum, this should include familiarity with:

National Institute of Standards and Technology (starting with the "FISMA Implementation Project")

National Incident Management System; and

Sarbanes-Oxley Act (especially relevant for IT security requirements)

This is only the beginning. In addition to government guidelines, security professionals also need to regularly evaluate the relevance of recommendations published by other entities. Although these publications cover a wide range of specialties, the ones that are relevant to the assessment standards I recommend must all meet a common criterion. They are all developed through an in-depth process of research, discussion and expert consensus. The flow chart included in this article illustrates one example of that process [see chart, p9: www.asisonline.org/guidelines/docs/SGquickReferenceGuide.pdf]. As a starting point, all of the following are useful sources: